Flexera: 20,000 New Software Flaws Found in 2017

The number of new software vulnerabilities discovered by Flexera in 2017 reached nearly 20,000 – an all-time high.

The firm’s Secunia Research division monitors more than 55,000 applications, appliances and operating systems to gain valuable insight into the level of potential risk organizations are exposing themselves to.

Its Vulnerability Review 2018 revealed an increase in software flaws of 14% – up from 17,147 in 2016 to 19,954 last year. Some 17% were rated as “highly critical,” although this figure was largely unchanged from the previous year.

As per the previous year, the primary attack vector used to trigger a vulnerability was via a remote network (55%), followed by a local network (32%).

The good news for firms is that avoiding attacks which exploit these vulnerabilities is possible, as patches were available for 86% on the day of disclosure. In fact, zero-day threats are increasingly rare: just 14 of the 19,954 known vulnerabilities in 2017 were zero-days, a 40% decrease from 2016.

However, organizations are not making the most of available intelligence on vulnerabilities, which would help them prioritize which ones to patch, the report claimed.

In addition, deficiencies in operational processes can create major disruptions when big breaches hit the headlines.

“There’s no question based on this year’s results, the risks remain high,” said Kasper Lindgaard, director of research and security at Flexera. “As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes – instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”

He added that the gap between identifying and fixing vulnerable applications must close.

“The process cannot be ad hoc. Without a consistently applied patching methodology, organizations will slip, leaving vulnerabilities unpatched for long periods. This gives criminals a large window of opportunity to execute their attacks. We advise a formal, automated software vulnerability management process that leverages intelligence to identify risks, prioritize their importance and resolve threats.”